As companies continue to strive for efficiency, consistency and flexibility, computers and software executed on computers are increasingly relied upon to automate, semi-automate, enhance, quicken and make reliable and uniform business processes. This is true even in fields of professional service providers, such as financial auditors, and fields in which standardized procedures and documents govern acceptable and “best” practices. For instance, organizations such as FASAB (Federal Accounting Standards Advisory Board), FASB (Financial Accounting Standards Board), AICPA (American Institute of Certified Public Accountants), IASB (International Accounting Standards Board), the SEC, and PCAOB (Public Company Accounting Oversight Board) promulgate rules and regulations, e.g., GAAS (generally accepted auditing standards), GAAP (generally accepted accounting principles), and IFRS (International Financial Reporting Standards), that govern the way companies are reviewed for integrity of financial accounting and operation. GAAS is principally comprised of ten auditing standards developed by AICPA that establish general standards (3) and standards related to field work (3) and reporting (4), including whether the report is in accordance with GAAP, and related interpretations. In addition, the SEC (Securities and Exchange Commission) provides guidance, and laws such as the Sarbanes-Oxley Act (“SOX”) and other laws and regulations provide guidance and requirements for compliance in reporting and other aspects concerning integrity of business operation and management.
In addition, in light of Sarbanes-Oxley and other laws governing corporate governance and reporting, the Committee Of Sponsoring Organizations (COSO) has published, e.g., for use by audit professionals in auditing financial statements or corporate compliance officers, a framework for evaluating internal controls used by corporations that are required to report to the Securities and Exchange Commission or similar agency. The COSO framework provides a generally recognized appropriate industry/professional standard for performing evaluation of internal controls, including five elements or factors to be considered when evaluating internal controls: 1) control environment; 2) risk assessment; 3) information and communication; 4) monitoring; and 5) control activities.
In the field of auditing, although GAAP and GAAS provide guidelines by which auditors should conduct audits, there is a significant amount of leeway, and many variables leave it to the professional and his or her assessments to determine the set of procedures required under the particular set of circumstances. This may also depend on the purpose and the intended audience to receive and interpret/rely on the report, and whether the entity being audited is public or non-public or governmental. Whether public or non-public, investors, banks, and other persons of interest rely on financial accounting information when determining whether to invest in a company, grant a loan to a company, merge with a company, etc. Standards are intended to promote best practices and uniformity, and therefore reliability, in the auditing process so that the resulting report may be viewed as unbiased, accurate and trustworthy.
Companies, such as Thomson Corporation, provide tools, resources and services to assist accountants and auditors. For instance, Thomson PPC's e-Practice Aids is a series of titles or Guides that give guidance and provide materials and procedures consistent with standards, e.g., PPC's Guide To Audit Of Nonpublic Companies, 25th Edition, January 2007. Auditors may rely on the Guides or titles in conducting audits. Electronic tools, for instance Thomson's e-Tools, and electronic versions of guides, Thomson e-Practice Aids, help auditors take their tools and resources with them when conducting field work or may make them accessible from remote locations or at least electronically. Computers are also helpful in collecting client data and capturing assessment data. What is needed is an integrated system for conducting audits and for processing collected and risk-related assessment data to determine, generate and present a suggested audit approach and set of procedures consistent with relevant standards and guides.
Associated with audits, as well as in-house efforts to establish and maintain internal control practices, SOX 404 requires public companies to (i) establish, maintain, and assess their internal control over financial reporting and (ii) obtain an opinion of their independent auditors as to the effectiveness of their internal control. One overriding goal of internal control over financial reporting is to promote the preparation of reliable financial statements. Assessing internal control practices is essential to identify material weaknesses and risks that may cause a material misstatement in the financial statements.
The SEC, in its Statement on Management's Report on Internal Control Over Financial Reporting, provided guidance in the area of internal controls. This SEC Guidance stated that management and auditors must use reasoned judgment and a top-down, risk-based approach to compliance with SOX 404. In addition, the SEC provided that the internal control audit and the financial statement audit should be integrated and that internal controls over financial reporting should be tailored to reflect the nature and size of the company. Also, the SEC recommended frequent dialogue between a company and its auditors to promote improved internal controls and improved financial reports. The SEC Guidance also recommended customizing internal control testing programs and stated that a “risk-based” approach to internal control testing should be used.
Risk-based testing requires management to prioritize areas of the company's financial statements according to relative levels of risk of misstatement. The risk-based approach requires extensive testing of related controls. In taking a “top-down” approach, the SEC guided management to identify controls related to each relevant area of a company's financial statements and to design appropriate documentation and testing procedures relative to each such area's risk level. However, the SEC provided that testing programs should be designed to assess those internal controls that affect the reliability of financial reporting and lead to “reasonable assurance” of reliability and not absolute assurance. Accordingly, testing programs need not test every step but must be sufficient to support a conclusion that the process meets the control objective. The SEC guides that testing programs should focus on the objective of controls in determining the overall effectiveness, rather than individual steps. Where a control deficiency is uncovered through testing and assessment, a quantitative analysis is performed to determine its level of significance.
While the SEC guidelines are directed primarily to management, the PCAOB directs its guidance to professionals involved in providing audits. PCAOB guidance provides that auditors should integrate the internal control audit with the financial statements audit; exercise judgment to tailor audits to specific risks; use a top-down approach that begins with company-level controls to identify for further testing only the accounts and processes that are relevant to internal control over financial reporting; and use risk assessment to remove accounts and processes that represent a remote risk of material misstatement. The PCAOB guides auditors to review and assess whether client systems of internal financial controls provide reasonable assurance that financial statements do not contain material misstatements. The PCAOB guides auditors to take a “top-down” approach in audits of internal controls, meaning that auditors should first concentrate on company-level controls and then on significant accounts, and should examine significant processes before individual controls. This steers the audit toward areas of higher risk and away from those not likely to have a material impact on financial statements. The PCAOB guides auditors to use a risk-based approach in auditing internal controls to reduce costs while increasing audit effectiveness by focusing efforts on areas of higher risk.